After a long time I found a new job, and they want me to make a NAT server for internet sharing, so I want to use FreeBSD with PF.
They only want me to make NAT and not block ports; they want all ports to be open, only NAT, and no blocking by PF. Can I use these rules to make NAT only, or not?
Please help me to improve this rule.

Can I use this rule for NAT?
I want only NAT, and I do not want anything else, like blocking torrent ports or something else.

I would be grateful if you could help me to modify this rule; I think this rule has a lot of problems.
Do you think I need to add some rules to these rules, or not?
What must I do to have better NAT with high performance?

Many years ago, on bsdforums.org, I helped somebody who had the same problem as you. He thought that his Internet cafe had a fixed IP while it did not. When he restarted the pf router/firewall, everything worked again for a few hours.

Because your external IP is fixed, that cannot be the problem.

What is the use of these rules?

Code:

SERVER = "10.10.10.200"
NAT1 = "10.10.10.194"
NAT2 = "10.10.10.195"
[snip]
NAT23 = "10.10.10.217"
NAT24 = "10.10.10.218"
NAT25 = "10.10.10.219"
nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
[snip]
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1 to any -> $NAT12
nat pass on $ext_if from $rased2 to any -> $NAT13
[snip]
nat pass on $ext_if from $rased7 to any -> $NAT18
nat pass on $ext_if from $rased8 to any -> $NAT19
nat pass on $ext_if from $admin1 to any -> $NAT20
nat pass on $ext_if from $admin2 to any -> $NAT21

The "paltalk", "webdsgn", "rased" and "admin" hosts/groups are all on the 192.168.0.0/24 network.

Why do you have to NAT for each host individually?
You can do it with one single statement:

Code:

# --- NAT
nat on $ext_if from !$ext_if

I have to use NAT for each host individually, because in my workplace all of the users use Paltalk. Paltalk is a messenger for voice chat, and all of the users use this messenger for voice chat; in Paltalk you can find many rooms for chat about different subjects.
The Paltalk server does not let users log in to or use more than three rooms from one IP; it only lets users log in to 3 rooms with one IP, and when somebody wants to log in to another room, they discard it, so I have to make different NAT.
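The two posts above are worth reconciling in a single ruleset: the helper's point that one `nat` statement covers a whole network, and the poster's constraint that no more than three internal hosts may share one external address. The following pf.conf is an added example written for this thread, not the poster's ruleset or anything from the FreeBSD project. It uses the pre-OpenBSD-4.7 `nat on ... -> addr` syntax that the FreeBSD pf of that era understands. The interface names, the table members and the 10.10.10.x pool addresses are assumptions chosen to match the addresses quoted in the thread; only `192.168.0.0/24` comes from the thread itself. Hosts that must share one public address are grouped into a table, one `nat` rule per table replaces one rule per host, and everyone else falls through to a round-robin pool. PF evaluates `nat` rules first-match, so the group rules must come before the catch-all.

```pf
# Added example (not from the thread): NAT-only pf.conf, old (pre-OpenBSD-4.7) syntax.
# Interface names are assumptions; adjust to your hardware.
ext_if = "em0"             # assumed external interface, fixed public/upstream IP
int_if = "em1"             # assumed internal interface
lan    = "192.168.0.0/24"  # internal network named in the thread

# Groups of internal hosts that must share one translation address.
# At most three members per table, because of the three-logins-per-IP
# limit described above. Member addresses are constructed placeholders.
table <grp1> const { 192.168.0.11, 192.168.0.12, 192.168.0.13 }
table <grp2> const { 192.168.0.14, 192.168.0.15, 192.168.0.16 }
table <grp3> const { 192.168.0.17, 192.168.0.18, 192.168.0.19 }

# Do not filter loopback traffic at all.
set skip on lo0

# --- NAT (first matching nat rule wins, so specific groups go first).
# One rule per group instead of one rule per host.
nat on $ext_if from <grp1> to any -> 10.10.10.194
nat on $ext_if from <grp2> to any -> 10.10.10.195
nat on $ext_if from <grp3> to any -> 10.10.10.196

# Everyone else on the LAN: spread across a small pool. sticky-address keeps
# a given internal host on the same pool address for the life of its states,
# which a per-IP login limit like Paltalk's depends on.
nat on $ext_if from $lan to any -> { 10.10.10.218, 10.10.10.219 } round-robin sticky-address

# --- Filtering: none. The poster wants every port open, so pass everything
# statefully in both directions; stateful passing is what lets the reply
# packets match the translation.
pass in all keep state
pass out all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (`-n` parses without applying), and remember that FreeBSD only forwards packets between interfaces when `gateway_enable="YES"` is set in /etc/rc.conf (which sets `net.inet.ip.forwarding=1`); without that, NAT rules load fine but nothing is routed. Hosts not listed in any table land in the round-robin pool, so the group tables are the only place where the three-per-address guarantee is enforced.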

When the connections hang again, but before you restart pf, you could do the following two things:

Redirect the `pfctl -s info` output to a file and investigate that.

Redirect the output of `pfctl -vvsr` to a file for diagnosis.

FreeBSD has a rather old version of pf. You could try to get the latest OpenBSD release 5.0 and see whether that solves the problem. Be aware though, that in OpenBSD 4.7 the NAT/RDR syntax has changed. See http://www.openbsd.org/faq/pf/nat.html

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump